Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009-- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.

"Use the distribution repositories via your package manager, and you will have no such problems. This incident is yet another illustration of this.

And people keep bitching because Apple won't open up the iPhone/iPad to allow for installing apps from outside sources. "

WTF????

Opposite situation. It is better for the outside developer to avail themselves of the resources of the distribution repository. Unlike Apple, this not a case of "your app can't be in our repository" ... where is there any profit in that?

But I say, be careful for what you wish for ... Insofar as Linux goes, it's easy to say that a platform is secure when you just tell people that, to stay secure, you gotta stick to the applications supplied to you by the Distro Gods. And in the case of Linux, as we have seen here, it is even more dangerous to venture outside the sandbox of the distro repository, since any douchebag can screw with the source, recompile it, and offer it on some random server. Better hope whoever downloads it knows about PGP.

The "Distro Gods" are not in the business of trying to limit you. You can get, say, VLC, KDE, MPlayer, Firefox and OpenOffice on Debian, Ubuntu, SuSe, Mandriva and RedHat. It is the same code, it is not re-written dozens of times over by different "Distro Gods". Sheesh!

There are over 25,000 open source packages in Debian/Ubuntu repositories. This is hardly a case of anyone "playing God" and trying to somehow short-change you.

But, anyway, if your application is too obscure for a distribution to accept it (because after all they would have to devote resources to it if they did accept it) ... then you can still sign your packages and host them in a format suitable for delivery via end users package managers anyway. The only weakness here is that end users must add a URL to your distribution server in their software sources list, and they must obtain your public key securely from somewhere. There are key servers for that latter purpose.

This will install a GPG signed version of Mozilla 3.7 nightly build on your Ubuntu system, using the apt package manager, independent of Ubuntu's repositories. The end user does not have to know anything about GPG. The first command, add-apt-repository, gets a key for the ppa from a trusted keyserver.

I didn't say they were. Only thing I am saying is that, if you stick to your distro's repository, they are ultimately in control over what gets installed on your system. This is not really any different than the Apple app store.. Sure, their motives might be different (whereas Apple may decide a particular app goes against their profit motive, the Distro Gods may decide that the app is just not popular enough to worry about), but the choice of what you can install is still in the hands of somebody else, unless you seek outside sources, in which case you're opening yourself up to security issues.

This will install a GPG signed version of Mozilla 3.7 nightly build on your Ubuntu system, using the apt package manager, independent of Ubuntu's repositories. The end user does not have to know anything about GPG. The first command, add-apt-repository, gets a key for the ppa from a trusted keyserver.

No, but they'd have to know about sudo, apt-get, package managers, and key servers. Somehow, that doesn't seem a whole lot less complicated.

"For example, if you want a version of Firefox-3.7 that includes WebM, right now, today, then here you go: https://launchpad.net/~ubuntu-mozilla-daily/+archive/ppa Open a terminal and enter: sudo add-apt-repository ppa:ubuntu-mozilla-daily/ppa sudo apt-get update sudo apt-get install firefox-3.7 This will install a GPG signed version of Mozilla 3.7 nightly build on your Ubuntu system, using the apt package manager, independent of Ubuntu's repositories. The end user does not have to know anything about GPG. The first command, add-apt-repository, gets a key for the ppa from a trusted keyserver.

No, but they'd have to know about sudo, apt-get, package managers, and key servers. Somehow, that doesn't seem a whole lot less complicated. "

Not at all. Users need to know only:
(1) How to "Open a terminal",
(2) How to highlight a line of text from this very web page as they are reading it,
(3) How to paste that copied text into the terminal application (hint: middle-click anywhere in the terminal window area)
(4) their password

They do that three times, once for each line (actually, they need to know their password only for the first line), and they are done.

It sin't hard. Select each line of text, one line at a time, in order, for the following three lines:

Then middle-click anywhere in the terminal window after each selection has been made.

Users don't even need to know how to type (except for their password, once only).

There is also a GUI way to do the same thing using Synaptic, but that is actually harder to describe on a text-based web forum such as this, and harder for users to actually carry out.

Anyway, had the vendors of the app which is the subject of this thread simply opened a launchpad.net account and copied their source tree there, this trojan would have been avoided for Ubuntu/Kubuntu users.

There was a huge shipment of Windows boxed copies on it's way to retail stores that got stopped by police a few years back. All counterfeit and riddled with malware. You can't even trust hardcopy distribution these days.. eesh..